CVE-2025-43814 — Sensitive Info Insertion into Sent Data in Digital Experience Platform
Severity
6.9 MEDIUM (NVD)
EPSS
0.1%
top 82.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 22
Latest update: Sep 23
Description
In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions, audit events record a user’s password reminder answer, which allows remote authenticated users to obtain a user’s password reminder answer via the audit events.
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N